12-25-17 05:54 PM
  1. brookie229's Avatar
    This thread is getting old---I think it's safe to say BB is not going to address the problem, OP. Big surprise! /s
    StephanieMaks likes this.
    11-06-17 02:23 PM
  2. bb10adopter111's Avatar
    This thread is getting old---I think it's safe to say BB is not going to address the problem, OP. Big surprise! /s
    I still think that's a very possible outcome, but I am inured to wait until the end of November before feeling "safe" to say anything. If we assume (for argument's sake) that BlackBerry would be willing to fix it if it was feasible and wouldn't break the bank, then they still would need to complete both a technical assessment and a project management/financial assessment of the fix.

    Since we can be sure it's not a top-line priority for them, and I would think the back and forth between engineers and business managers could easily take a few weeks, or even a couple of months before a decision would be finalized. I'm still a little intrigued by the fact that they just pushed an unexpected patch out a couple of weeks ago.

    But, while we might not agree on exactly what the cutoff point is, we agree that the chance of a fix declines as time passes from this point forward.

    Posted with my trusty Z10
    11-06-17 04:09 PM
  3. conite's Avatar
    I still think that's a very possible outcome, but I am inured to wait until the end of November before feeling "safe" to say anything. If we assume (for argument's sake) that BlackBerry would be willing to fix it if it was feasible and wouldn't break the bank, then they still would need to complete both a technical assessment and a project management/financial assessment of the fix.

    Since we can be sure it's not a top-line priority for them, and I would think the back and forth between engineers and business managers could easily take a few weeks, or even a couple of months before a decision would be finalized. I'm still a little intrigued by the fact that they just pushed an unexpected patch out a couple of weeks ago.

    But, while we might not agree on exactly what the cutoff point is, we agree that the chance of a fix declines as time passes from this point forward.

    Posted with my trusty Z10
    To me, whether they update or not should be an easy decision. It comes down to whether they have any legal obligations to do so (i.e. contracts that are still in force).
    SoundChaser007 likes this.
    11-06-17 04:14 PM
  4. brookie229's Avatar
    To me, whether they update or not should be an easy decision. It comes down to whether they have any legal obligations to do so (i.e. contracts that are still in force).
    Exactly. But I have a feeling we are getting mighty close to the end of those legal obligations.
    11-06-17 04:21 PM
  5. Invictus0's Avatar
    QNX is mostly in car infotainment systems and they are seldom connected to WiFi. Most of the time they come with a SIM card and connect to LTE.
    Perhaps, but QNX is still used for more than just cars (embedded systems, medical devices, etc.), and it's BlackBerry's flagship OS; these delays don't reflect well IMO.
    11-06-17 04:38 PM
  6. bb10adopter111's Avatar
    To me, whether they update or not should be an easy decision. It comes down to whether they have any legal obligations to do so (i.e. contracts that are still in force).
    That's certainly likely, but does that mean the recent patch that was released after several months fulfilled a legal obligation, too? And if so, why did they hold onto it so long?

    Posted with my trusty Z10
    11-06-17 04:54 PM
  7. conite's Avatar
    That's certainly likely, but does that mean the recent patch that was released after several months fulfilled a legal obligation, too? And if so, why did they hold onto it so long?

    Posted with my trusty Z10
    ¯\_(ツ)_/¯
    11-06-17 04:58 PM
  8. johnny_bravo72's Avatar
    That's certainly likely, but does that mean the recent patch that was released after several months fulfilled a legal obligation, too? And if so, why did they hold onto it so long?

    Posted with my trusty Z10
    Placebo update? 😀
    mh1983 likes this.
    11-06-17 05:16 PM
  9. Troy Tiscareno's Avatar
    Perhaps, but QNX is still used for more than just cars (embedded systems, medical devices, etc.), and it's BlackBerry's flagship OS; these delays don't reflect well IMO.
    1. BB10 is not QNX (it uses QNX as its foundation, but 90% of the code is specific to BB10).

    2. None of those devices you named are likely WiFi clients - many probably aren't networked at all - so most are probably unaffected anyway.

    So, not fixing something that isn't a problem for those devices is hardly going to "reflect poorly" on BB.
    11-06-17 10:49 PM
  10. Invictus0's Avatar
    1. BB10 is not QNX (it uses QNX as its foundation, but 90% of the code is specific to BB10).

    2. None of those devices you named are likely WiFi clients - many probably aren't networked at all - so most are probably unaffected anyway.

    So, not fixing something that isn't a problem for those devices is hardly going to "reflect poorly" on BB.
    1. I didn't say it was QNX, but QNX does have its own WiFi driver and it's possible BB10 may be using it.

    2. We don't know the use case for every QNX device or industry and realistically it shouldn't matter. BlackBerry as an OS provider would simply have to report or patch the flaw and make it available to QNX users who would decide on integration and deployment themselves.

    Medical devices certainly do use WiFi and BlackBerry demonstrated hacking one over it a few years ago.

    https://www.healthmgttech.com/fatal-...ckberry-summit

    Edit: http://blackberry.qnx.com/en/solutio.../medical/index
    11-07-17 12:06 AM
  11. Richard Buckley's Avatar
    That's certainly likely, but does that mean the recent patch that was released after several months fulfilled a legal obligation, too? And if so, why did they hold onto it so long?

    Posted with my trusty Z10
    According to BlackBerry and CERT, BlackBerry was only notified in mid-October. Compared to those companies that were notified in the summer, that isn't a very long time.

    LeapSTR100-2/10.3.3.2205
    11-07-17 04:45 AM
  12. StephanieMaks's Avatar
    I still believe if they had decided to fix it they'd have said something by now.

    The ongoing silence wrt BB10 to me means either they have yet to even make a decision, or they've decided to do nothing and say nothing and let BB10 'support' run out the clock before quietly adding it to the list of EOL products.

    Likewise if BB10 wasn't vulnerable in the first place, they'd have mentioned that somewhere by now. It doesn't cost much to make a blog post or send a tweet.

    As to why the last update was released after such a long delay, at this point I believe BB10 is so low on their list of priorities they flat out forgot. Like, someone turned on the BB10 machine to look into the KRACK thing and discovered 'Oh yeah, there's an update waiting. Send.' <jk>
    johnny_bravo72 likes this.
    11-07-17 07:33 AM
  13. app_Developer's Avatar
    According to BlackBerry and CERT, BlackBerry was only notified in mid-October. Compared to those companies that were notified in the summer, that isn't a very long time.
    I noticed that, too. I wonder why they were notified so late?
    11-07-17 08:16 AM
  14. wingnut666's Avatar
    why would "the security company" need to be notified by another entity....LOL krackberry. buffoons.

    Posted via CBX
    11-07-17 08:45 AM
  15. conite's Avatar
    why would "the security company" need to be notified by another entity....LOL krackberry. buffoons.

    Posted via CBX
    After 10 years, a WPA2 vulnerability was discovered. Then everyone was notified.

    "KRACK (Key Reinstallation Attack) is a severe replay attack (a type of exploitable flaw) on the Wi-Fi Protected Access protocol that secures Wi-Fi connections. It was discovered in 2016 by the Belgian researchers Mathy Vanhoef and Frank Piessens of the University of Leuven. Vanhoef's research group published details of the attack in October 2017"
    11-07-17 08:49 AM
  16. bb10adopter111's Avatar
    I still believe if they had decided to fix it they'd have said something by now.

    The ongoing silence wrt BB10 to me means either they have yet to even make a decision, or they've decided to do nothing and say nothing and let BB10 'support' run out the clock before quietly adding it to the list of EOL products.

    Likewise if BB10 wasn't vulnerable in the first place, they'd have mentioned that somewhere by now. It doesn't cost much to make a blog post or send a tweet.

    As to why the last update was released after such a long delay, at this point I believe BB10 is so low on their list of priorities they flat out forgot. Like, someone turned on the BB10 machine to look into the KRACK thing and discovered 'Oh yeah, there's an update waiting. Send.'
    This is pretty much how I have thought about it, with one additional speculative nuance:

    If there still is anyone left who feels some responsibility for the security of BB10, which I think is likely, that person/small team may be advocating internally for a fix. If the scope of the work is easily digestible within the existing operating budget, they might get a green light, but the work might progress slowly with no announcement unless the fix was absolutely confirmed to be done.

    My experience working in large companies is that people generally want to do the best they can for customers within their constraints, so that solutions with a small scope that can be implemented by existing teams with existing resources can get approved if the teams advocate for it.

    The essential question is whether there is still any kind of BB10 team left at BlackBerry with the skills to develop and deploy a relatively small fix for the vulnerable WPA2 components. If there is, it's not like there are any other items on the to-do list! But if there aren't, I don't see it happening.

    Posted with my trusty Z10
    StephanieMaks likes this.
    11-07-17 08:52 AM
  17. Invictus0's Avatar
    I noticed that, too. I wonder why they were notified so late?
    And what's interesting is QNX was notified in August, when almost all other vendors were:

    https://www.kb.cert.org/vuls/id/CHEU-AQNN3H
    11-07-17 11:07 AM
  18. brookie229's Avatar
    None of those devices you named are likely WiFi clients - many probably aren't networked at all - so most are probably unaffected anyway.
    Disagree with this statement in that many medical devices are indeed connected, both wirelessly and wired, and I might add, very insecure. It wasn't that long ago that BB had a demo on wireless vital sign monitors that were easily hacked along with infusion pumps.
    11-07-17 11:33 AM
  19. bb10adopter111's Avatar
    Disagree with this statement in that many medical devices are indeed connected, both wirelessly and wired, and I might add, very insecure. It wasn't that long ago that BB had a demo on wireless vital sign monitors that were easily hacked along with infusion pumps.
    The IoT world is already omnipresent. There are millions of IoT sensors and other devices that are vulnerable, many of which are in critical infrastructure. With QNX, this is a large component of Blackberry's future business opportunity, and they certainly know they need to handle it very well.

    It's amazing to me how many people blithely install IoT items in their lives and business with an irrational assumption that they are safe, when in fact they are vulnerable and largely unregulated and untested.

    For example, anyone with an IoT speaker in their bedroom should realize that it would in most cases be relatively easy to record anything that happens there!

    Posted with my trusty Z10
    11-07-17 12:01 PM
  20. app_Developer's Avatar
    It's amazing to me how many people blithely install IoT items in their lives and business with an irrational assumption that they are safe, when in fact they are vulnerable and largely unregulated and untested.

    For example, anyone with an IoT speaker in their bedroom should realize that it would in most cases be relatively easy to record anything that happens there!

    Posted with my trusty Z10
    How is it relatively easy to record?
    11-07-17 12:11 PM
  21. bb10adopter111's Avatar
    How is it relatively easy to record?
    If it's an interactive speaker, it already has a microphone and protocols for analog to digital conversion and sending sound over the network. All that remains is to redirect that data somewhere else.

    Sure, they are "secured" by the manufacturers, but that's not a guarantee that they don't have unidentified vulnerabilities or, in the case of KRACK, known ones.

    Posted with my trusty Z10
    StephanieMaks likes this.
    11-07-17 02:02 PM
  22. app_Developer's Avatar
    If it's an interactive speaker, it already has a microphone and protocols for analog to digital conversion and sending sound over the network. All that remains is to redirect that data somewhere else.

    Sure, they are "secured" by the manufacturers, but that's not a guarantee that they don't have unidentified vulnerabilities or, in the case of KRACK, known ones.

    Posted with my trusty Z10
    Ok, no guarantees of course. But there is a sea between "no guarantees" and "easy to intercept".
    11-07-17 03:22 PM
  23. bb10adopter111's Avatar
    Ok, no guarantees of course. But there is a sea between "no guarantees" and "easy to intercept".
    The significance of the risk depends on several factors:

    1) The effort required to use an exploit
    2) The value of the information (or the impact of a loss of control of its confidentiality, integrity or availability)
    3) The motivations and capabilities of the actors involved.

    Posted with my trusty Z10
    11-07-17 04:42 PM
  24. Richard Buckley's Avatar
    why would "the security company" need to be notified by another entity....LOL krackberry. buffoons.

    Posted via CBX
    Because responsible disclosure means that the vulnerabilities are not released at the same time to everyone. The whole world was notified October 16th, some companies were notified in August.

    LeapSTR100-2/10.3.3.2205
    11-07-17 04:48 PM
  25. wingnut666's Avatar
    Because responsible disclosure means that the vulnerabilities are not released at the same time to everyone. The whole world was notified October 16th, some companies were notified in August.

    LeapSTR100-2/10.3.3.2205
    so they were asleep at the switch....not very 'secure'.

    Posted via CBX
    11-07-17 04:51 PM
